This issue has been hounding us recently when installing appliances.
Symptoms: when you try to verify client certs by opening a browser and pointing it at the HTTPS site that requires client certs, you are prompted to "choose a digital certificate" with an empty list of client certs, even though the certificate is plainly visible in the MMC certificates console.
What is happening
On the IIS server, open the Event Viewer and look at the System log. You may find a small Schannel warning (event ID 36885) that reads:
"When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."
WTF!
After a Windows Server 2003 machine has gone through a few rounds of root certificate updates (which happen as part of Windows Update), it keeps pulling in more and more trusted root certification authorities.
The list of trusted roots keeps growing until one fine day IIS finds that the list is too long. During the SSL handshake, when the server asks for a client certificate it is supposed to send the list of CAs it trusts (the DER-encoded subject names of every trusted root, carried in the CertificateRequest message), so the browser can decide which of the user's client certs to offer.
When the list grows too big, IIS hits a hard-coded limit in Schannel and simply truncates it. If the CA that issued your client cert falls past the cut-off, the browser never sees it as trusted and shows you an empty list, even though the cert is right there in the store.
If someone has an idea of how to change this limit, feel free to comment.
Solution
The only way out of this? Remove a boatload of those useless certs from no-name companies that have decided they are important enough to deserve a place in your trusted authorities store.
Go to Trusted Root Certification Authorities and blow away a bunch of them, starting with those you don't recognize and those that list Client Authentication as a purpose (those are the ones that end up in the list the server sends).
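Before deleting anything, it helps to know how much room the root store is actually taking up on the wire and which entries buy you the most. The script below is an added example, not part of the original post: it walks the machine's Trusted Root store, estimates the size of the certificate_authorities list the server would have to send in the CertificateRequest (per RFC 5246, each name is a 2-byte-length-prefixed DER Name, and the whole vector carries its own 2-byte length), and lists the expired and client-auth-capable roots ordered by how many bytes each one costs. It assumes PowerShell with the Cert: drive is available on the box; the 16 KB threshold is an assumption used only for reporting, not a figure taken from the post. Nothing is removed.

```powershell
# Added example (not from the original post). Read-only: reports, never deletes.
param(
    [string]$StorePath = 'Cert:\LocalMachine\Root',
    [int]$AssumedLimitBytes = 16384,   # assumption: threshold for the warning below
    [int]$Top = 25
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (RFC 5280)
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$roots = Get-ChildItem -Path $StorePath

# One row per root with the bytes it would occupy in the TLS
# certificate_authorities vector (RFC 5246 section 7.4.4: 2-byte length + DER Name).
$entries = foreach ($c in $roots) {
    $der = $c.SubjectName.RawData
    $eku = $c.Extensions | Where-Object { $_ -is $ekuType }
    $purposes = @()
    if ($eku) { $purposes = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        WireBytes  = 2 + $der.Length
        # A root with no EKU extension is valid for every purpose, so it counts
        # as client-auth-capable just like one that names the OID explicitly.
        ClientAuth = (-not $eku) -or ($purposes -contains $clientAuthOid)
    }
}

$caEntries = @($entries | Where-Object { $_.ClientAuth })
$total = 2 + ($caEntries | Measure-Object -Property WireBytes -Sum).Sum

"{0} roots in {1}, {2} of them usable for client authentication" -f @($entries).Count, $StorePath, $caEntries.Count
"certificate_authorities vector would be {0} bytes (assumed limit {1})" -f $total, $AssumedLimitBytes
if ($total -gt $AssumedLimitBytes) {
    "Over the assumed limit by {0} bytes; trim at least that much." -f ($total - $AssumedLimitBytes)
}

"`nExpired roots (safe first candidates):"
$caEntries | Where-Object { $_.NotAfter -lt (Get-Date) } |
    Sort-Object WireBytes -Descending |
    Format-Table Subject, NotAfter, WireBytes -AutoSize

"`nLargest client-auth-capable roots (removing one saves WireBytes):"
$caEntries | Sort-Object WireBytes -Descending | Select-Object -First $Top |
    Format-Table Subject, Thumbprint, WireBytes -AutoSize
```

Run it from an elevated prompt so it can read the machine store. Once you have picked a victim and confirmed it is not one of the roots Windows itself depends on, `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"` does the same thing as deleting it in the MMC; rerun the script afterwards to see how far the total dropped.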
Meanwhile, don't accidentally remove any of the roots in this list, since Windows needs them:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293781
cheers
-g